
-----Original Message----- From: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com Sent: Monday, January 18, 2021 4:03 PM To: Tan, Ley Foon ley.foon.tan@intel.com; u-boot@lists.denx.de Cc: Marek Vasut marex@denx.de; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Simon Glass sjg@chromium.org; Gan, Yau Wai yau.wai.gan@intel.com Subject: RE: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Hi Ley Foon,
-----Original Message----- From: Tan, Ley Foon ley.foon.tan@intel.com Sent: Monday, January 18, 2021 3:29 PM To: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com; u-boot@lists.denx.de Cc: Marek Vasut marex@denx.de; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Simon Glass sjg@chromium.org; Gan, Yau Wai yau.wai.gan@intel.com Subject: RE: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
-----Original Message----- From: Lim, Elly Siew Chin elly.siew.chin.lim@intel.com Sent: Thursday, January 7, 2021 6:04 PM To: u-boot@lists.denx.de Cc: Marek Vasut marex@denx.de; Tan, Ley Foon ley.foon.tan@intel.com; See, Chin Liang chin.liang.see@intel.com; Simon Goldschmidt simon.k.r.goldschmidt@gmail.com; Chee, Tien Fong tien.fong.chee@intel.com; Westergreen, Dalon dalon.westergreen@intel.com; Simon Glass sjg@chromium.org; Gan, Yau Wai yau.wai.gan@intel.com; Lim, Elly Siew Chin elly.siew.chin.lim@intel.com Subject: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Vendor Authorized Boot is a security feature for authenticating images such as U-Boot, ARM trusted Firmware, the Linux kernel and the device tree blob that are loaded from a FIT. After those images are loaded from the FIT, the VAB certificate and signature block appended at the end of each image are sent to the Secure Device Manager (SDM) for authentication.
U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication.
Signed-off-by: Siew Chin Lim elly.siew.chin.lim@intel.com
v2
- Renamed SECURE_VAB_AUTH* to SOCFPGA_SECURE_VAB_AUTH*
- Changes in secure_vab.c
- Changed to use SZ_1K for 1024
- Updated comment in secure_vab.c of "... the certificate for T"
- The code will report error before end of the function if reach maximum retry.
- In board_prep_linux function, only execute linux_qspi_enable command if it exists in enviroment variable. It is optional.
arch/arm/mach-socfpga/Kconfig | 15 ++ arch/arm/mach-socfpga/Makefile | 2 + arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ arch/arm/mach-socfpga/secure_vab.c | 193 +++++++++++++++++++++++ common/Kconfig.boot | 2 +- 6 files changed, 275 insertions(+), 1 deletion(-) create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h create mode 100644 arch/arm/mach-socfpga/secure_vab.c
diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach- socfpga/Kconfig index 9b1abdaabd..0c35406232 100644 --- a/arch/arm/mach-socfpga/Kconfig +++ b/arch/arm/mach-socfpga/Kconfig @@ -6,6 +6,21 @@ config ERR_PTR_OFFSET config NR_DRAM_BANKS default 1
+config SOCFPGA_SECURE_VAB_AUTH
- bool "Enable boot image authentication with Secure Device
Manager"
- depends on TARGET_SOCFPGA_AGILEX
- select FIT_IMAGE_POST_PROCESS
- select SHA384
- select SHA512_ALGO
- select SPL_FIT_IMAGE_POST_PROCESS
- help
All images loaded from FIT will be authenticated by Secure Device
Manager.
+config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE
- bool "Allow non-FIT VAB signed images"
- depends on SOCFPGA_SECURE_VAB_AUTH
config SPL_SIZE_LIMIT default 0x10000 if TARGET_SOCFPGA_GEN5
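Review bot: `SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE` is added with a prompt but no `help` text, so someone configuring an authenticated-boot build cannot tell from Kconfig what the option changes about which images are authenticated. Its name suggests it widens the set of image formats the authentication path accepts, which is a policy decision that should be documented next to the switch. I would add a `help` entry along the lines of `Allow VAB-signed images that are not wrapped in a FIT to be passed to the SDM for authentication. If unsure, say N.` The exact wording needs to be confirmed against the code that tests this symbol, which is not part of this hunk.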
diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach- socfpga/Makefile index 82b681d870..1f1e21766d 100644 --- a/arch/arm/mach-socfpga/Makefile +++ b/arch/arm/mach-socfpga/Makefile @@ -4,6 +4,7 @@ # Wolfgang Denk, DENX Software Engineering, wd@denx.de. # # Copyright (C) 2012-2017 Altera Corporation <www.altera.com> +# Copyright (C) 2017-2020 Intel Corporation <www.intel.com>
obj-y += board.o obj-y += clock_manager.o @@ -47,6 +48,7 @@ obj-y += mailbox_s10.o obj-y += misc_s10.o obj-y += mmu-arm64_s10.o obj-y += reset_manager_s10.o +obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH) += secure_vab.o obj-y += system_manager_s10.o obj-y += timer_s10.o obj-y += wrap_pinmux_config_s10.o diff --git a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h index 4d783119ea..fbaf11597e 100644 --- a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h +++ b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h @@ -118,6 +118,7 @@ enum ALT_SDM_MBOX_RESP_CODE { #define MBOX_RECONFIG_MSEL 7 #define MBOX_RECONFIG_DATA 8 #define MBOX_RECONFIG_STATUS 9 +#define MBOX_VAB_SRC_CERT 11 #define MBOX_QSPI_OPEN 50 #define MBOX_QSPI_CLOSE 51 #define MBOX_QSPI_DIRECT 59 diff --git a/arch/arm/mach-socfpga/include/mach/secure_vab.h b/arch/arm/mach-socfpga/include/mach/secure_vab.h new file mode 100644 index 0000000000..42588588e8 --- /dev/null +++ b/arch/arm/mach-socfpga/include/mach/secure_vab.h @@ -0,0 +1,63 @@ +/* SPDX-License-Identifier: GPL-2.0
- Copyright (C) 2020 Intel Corporation <www.intel.com>
- */
+#ifndef _SECURE_VAB_H_ +#define _SECURE_VAB_H_
+#include <linux/sizes.h> +#include <linux/stddef.h> +#include <u-boot/sha512.h>
+#define VAB_DATA_SZ 64
+#define SDM_CERT_MAGIC_NUM 0x25D04E7F +#define FCS_HPS_VAB_MAGIC_NUM 0xD0564142
+#define MAX_CERT_SIZE (SZ_4K)
+/*
- struct fcs_hps_vab_certificate_data
- @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142)
- @flags: TBD
- @fcs_data: Data words being certificate signed.
- @cert_sign_keychain: Certificate Signing Keychain */ struct
+fcs_hps_vab_certificate_data {
- u32 vab_cert_magic_num; /* offset 0x10 */
- u32 flags;
- u8 rsvd0_1[8];
- u8 fcs_sha384[SHA384_SUM_LEN]; /* offset 0x20 */
+};
+/*
- struct fcs_hps_vab_certificate_header
- @cert_magic_num: Certificate Magic Word (0x25D04E7F)
- @cert_data_sz: size of this certificate header (0x80)
- Includes magic number all the way to the certificate
signing keychain (excludes cert. signing keychain)
- @cert_ver: Certificate Version
- @cert_type: Certificate Type
- @data: VAB HPS Image Certificate data */ struct
+fcs_hps_vab_certificate_header {
- u32 cert_magic_num; /* offset 0 */
- u32 cert_data_sz;
- u32 cert_ver;
- u32 cert_type;
- struct fcs_hps_vab_certificate_data d; /* offset 0x10 */
- /* keychain starts at offset 0x50 */ };
+#define VAB_CERT_HEADER_SIZE sizeof(struct fcs_hps_vab_certificate_header) +#define VAB_CERT_MAGIC_OFFSET offsetof \
(struct fcs_hps_vab_certificate_header, d)
+#define VAB_CERT_FIT_SHA384_OFFSET offsetof \
(struct fcs_hps_vab_certificate_data,
\
fcs_sha384[0])
+int socfpga_vendor_authentication(void **p_image, size_t *p_size);
+#endif /* _SECURE_VAB_H_ */ diff --git a/arch/arm/mach-socfpga/secure_vab.c b/arch/arm/mach- socfpga/secure_vab.c new file mode 100644 index 0000000000..ea1109611a --- /dev/null +++ b/arch/arm/mach-socfpga/secure_vab.c @@ -0,0 +1,193 @@ +// SPDX-License-Identifier: GPL-2.0 +/*
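Review bot: The comment above `struct fcs_hps_vab_certificate_data` in secure_vab.h documents `@fcs_data` and `@cert_sign_keychain`, but the members actually declared are `rsvd0_1` and `fcs_sha384`, so the documentation does not describe the layout being parsed; I would replace those two entries with `@rsvd0_1: reserved` and `@fcs_sha384: SHA384 digest of the image covered by this certificate`. In the header struct, `@cert_data_sz` is described as `(0x80)`, while the fields shown add up to 0x50 bytes and the trailing comment places the keychain at offset 0x50, so one of the two values looks stale. Since these structs overlay the certificate appended to a loaded image, it would also help to state in the `@cert_data_sz` line that the value is read from the image and has to be range-checked by the consumer (presumably against `MAX_CERT_SIZE`) before it is used as a length. Both comments open with `/*` rather than `/**`, so kernel-doc tooling will not pick them up.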
- Copyright (C) 2020 Intel Corporation <www.intel.com>
- */
+#include <common.h>
Sort alphanumerically.
+#include <asm/arch/mailbox_s10.h> +#include <asm/arch/secure_vab.h> +#include <asm/arch/smc_api.h> +#include <asm/unaligned.h> +#include <exports.h> +#include <hang.h> +#include <image.h> +#include <linux/errno.h> +#include <linux/intel-smc.h> +#include <log.h>
- /*
* Compare the SHA384 found in certificate against the SHA384
* calculated from image
*/
- if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) {
puts("SHA384 not match!\n");
return -EKEYREJECTED;
- }
- mbox_data_addr = img_addr + img_sz - sizeof(u32);
- /* Size in word (32bits) */
- mbox_data_sz = (ALIGN(*p_size - img_sz, 4)) >> 2;
Change 4 to sizeof().
[...]
- debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp,
resp_len);
- if (ret) {
/*
* Unsupported mailbox command or device not in the
* owned/secure state
*/
if (ret == MBOX_RESP_UNKNOWN ||
ret ==
MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) {
/* SDM bypass authentication */
printf("%s 0x%016llx (%ld bytes)\n",
"Image Authentication bypassed at address",
img_addr, img_sz);
return 0;
}
Should we continue to boot on MBOX_RESP_UNKNOWN? Does that mean a user can bypass authentication when there is a mailbox error?
Yes, per my understanding from Jeremy earlier, we should allow the HPS to boot if the FW is an old version that does not support VAB.
Does that mean people can purposely use old FW to bypass authentication? I think we need to rethink whether we want to support this case.
Regards Ley Foon